Just as it appeared all hope was lost for federal action in the face of the onslaught of data breaches, the F.T.C. has lately ridden in like the cavalry. On August 24, 2015, the Third Circuit Court of Appeals held that this role was within the agency’s jurisdiction.
The Court held that the agency had legislative authority to bring its enforcement action against Wyndham Worldwide Corporation alleging unfair and deceptive trade practices with regard to the corporation’s representations as to security and confidentiality of credit card and other information of hotel guests that was compromised in three separate cyber attacks in 2008 and 2009. The decision mitigates uncertainty as to whether the Commission could bring proceedings where, as here, an organization’s cybersecurity safeguards are alleged to be deficient, leading to a compromise of confidential information. In the absence of Congressional action on information security, more F.T.C. proceedings are undoubtedly on the horizon.
The F.T.C. alleged that Wyndham had engaged in unfair trade practices by representing that it used “industry standard security practices” while failing to provide reasonable safeguards for guests’ data, such as firewalls and software that could receive security updates. Among other things, the Commission alleged that “Wyndham-branded hotels stored payment card information in clear readable text,” hotel servers allowed access to the Wyndham network through “default user ID’s easily available to hackers,” “and firewalls were not appropriately utilized.”
The arguments before the Court focused on the legislative authority to bring the action and whether Wyndham had fair notice of the agency’s cybersecurity guidelines for commencement of proceedings. The Court disposed of the regulatory authority argument by holding that authority to proceed against “unfair” trade practices allows the F.T.C. to proceed where the representations as to information security are not met in practice. Wyndham served up an interesting argument that such unfairness authority could extend to a supermarket that failed to clean up banana peels. That argument was sharply returned by Judge Ambro, who wrote the opinion for a unanimous court, stating that had 619,000 customers (the number of guests whose information was compromised) slipped on banana peels in a Wyndham supermarket, “(it would) hardly suggest (Wyndham) should be immune from liability.”
The Court disposed of the fair notice argument, that the F.T.C. had not provided reasonable notice that unreasonable cybersecurity was “unfair,” by holding that, for purposes of this motion, the only notice to which Wyndham was entitled was notice of the meaning of the statute, not the agency’s interpretation of it. This issue may rear its head again in motions during trial, after evidence has been adduced, or perhaps post-trial.
If you have questions regarding potential F.T.C. liability in cyber attacks or breaches, please call Kenneth N. Rashbaum.